CVE-2024-9648: CWE-434 Unrestricted Upload of File with Dangerous Type in WP Ulike WP ULike Pro
CVE-2024-9648 is a medium-severity vulnerability in the WP ULike Pro WordPress plugin that allows unauthenticated attackers to upload files with dangerous extensions because of insufficient file type validation. The flaw exists in all versions up to and including 1.9.3; 1.9.4 is the patched release. Attackers can upload files such as .php2, .php6, .phps, …
AI Analysis
Technical Summary
CVE-2024-9648 is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and affects the WP ULike Pro plugin for WordPress. The root cause is insufficient validation of uploaded file types in the WP_Ulike_Pro_File_Uploader class, which lets unauthenticated attackers upload files with extensions such as .php2, .php6, .phps, .pht, .phtm, .pgif, .shtml, .phar, .inc, .hphp, .ctp, .module, .html, and .svg. Note what that list is: alternative PHP and server-side-include extensions that a denylist keyed on ".php" misses, plus .html and .svg, which browsers render as active content. The consequence therefore depends on the web server. Where a handler maps one of the script extensions to PHP (or SSI), an uploaded file executes server-side; where it does not, .html and .svg still give a stored Cross-Site Scripting payload served from the site's own origin. The vulnerability affects all versions up to and including 1.9.3; 1.9.4 is the first patched release. No authentication is required. The CVSS v3.1 base score is 6.1 (medium): network attack vector, low attack complexity, no privileges required, and user interaction required. The user interaction is on the victim's side, in that a user has to open the uploaded content; the upload itself needs no interaction from anyone. A 6.1 with those exploitability metrics is the characteristic score of a changed-scope, low-impact vector such as stored XSS, not of a code-execution vector, which would score considerably higher, so the score does not assume remote code execution. The real impact on a given site depends on how its server treats these extensions. No in-the-wild exploitation has been reported, but upload flaws of this kind are attractive targets given the popularity of WordPress plugins. Only sites running the affected WP ULike Pro versions are exposed.
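The advisory's extension list is exactly the set a naive "block .php" filter lets through. The following added example (not code from WP ULike Pro or the Wordfence advisory) puts a denylist check modelled on that weak pattern next to a strict allowlist check, and runs both over constructed filenames. The `ALLOWED` policy, the magic bytes, and every sample filename and byte string are assumptions made for the example; the `ADVISORY_EXTENSIONS` set is copied from the text above.

```python
"""Added example, not plugin code: denylist vs allowlist upload validation.
All filenames and byte strings in SAMPLES are constructed test inputs."""
import posixpath

# Extensions named in the advisory: alternate PHP/SSI handler extensions
# plus browser-rendered active content (.html, .svg).
ADVISORY_EXTENSIONS = {
    "php2", "php6", "phps", "pht", "phtm", "pgif", "shtml", "phar",
    "inc", "hphp", "ctp", "module", "html", "svg",
}

# What a naive filter typically blocks: only the obvious names.
NAIVE_DENYLIST = {"php", "exe"}

# Hardened policy (assumed for the example): allowlisted extensions and the
# leading magic bytes each type must carry.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "webp": (b"RIFF",),
}


def naive_is_allowed(filename: str) -> bool:
    """Weak pattern: look at the last extension only and compare it against
    a short denylist. Accepts .phar, .phtm, .svg, 'shell.php.jpg' and even
    '.htaccess'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in NAIVE_DENYLIST


def extension_segments(filename: str) -> list:
    """All dot-separated segments after the base name, lowercased.
    'avatar.phar.jpg' -> ['phar', 'jpg']; 'avatar' -> []."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def hardened_is_allowed(filename: str, content: bytes) -> bool:
    """Allowlist check:
    1. no path separators, NUL bytes, or dotfiles (an uploaded .htaccess can
       re-enable script execution inside the uploads directory);
    2. exactly one extension, and it must be allowlisted, so 'x.jpg.phtm'
       and 'x.phtm.jpg' are both rejected, which also defeats the
       multi-extension handler mapping some Apache setups still use;
    3. the content must start with the magic bytes of the claimed type."""
    if "\x00" in filename:
        return False
    name = posixpath.basename(filename.replace("\\", "/"))
    if name != filename or name.startswith(".") or name in ("", ".", ".."):
        return False
    segs = extension_segments(name)
    if len(segs) != 1 or segs[0] not in ALLOWED:
        return False
    return any(content.startswith(magic) for magic in ALLOWED[segs[0]])


# Constructed samples: (filename, first bytes of the upload body).
SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),   # genuine JPEG
    ("shell.phar", b"<?php echo 'x'; ?>"),                # advisory extension
    ("profile.svg", b"<svg onload=alert(1)></svg>"),       # stored XSS carrier
    ("shell.php.jpg", b"<?php echo 'x'; ?>"),             # double extension
    ("fake.jpg", b"<?php echo 'x'; ?>"),                  # right name, wrong bytes
    ("../../wp-config.php", b""),                         # traversal attempt
    (".htaccess", b"AddType application/x-httpd-php .jpg"),
]


def compare(samples=SAMPLES) -> dict:
    """Map each sample filename to (naive verdict, hardened verdict)."""
    return {fn: (naive_is_allowed(fn), hardened_is_allowed(fn, data))
            for fn, data in samples}


if __name__ == "__main__":
    for fn, (naive, hard) in compare().items():
        print(f"{fn:24s} naive={'ACCEPT' if naive else 'reject':6s} "
              f"hardened={'ACCEPT' if hard else 'reject'}")
```

The naive check accepts six of the seven samples, including every one that carries an advisory extension; the hardened check accepts only the genuine JPEG. Rejecting any second extension segment rather than trying to enumerate dangerous ones is what closes the class of bypass the advisory lists.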
Potential Impact
Organizations running WordPress sites with WP ULike Pro versions up to and including 1.9.3 are exposed to unauthenticated file uploads that can lead to stored Cross-Site Scripting and, on servers that execute the uploaded extensions, server-side code execution. Stored XSS in the site's own origin can hijack administrator sessions and deface pages; code execution can compromise the confidentiality and integrity of site data, allow web shells or backdoors to be deployed for persistent access, and give attackers a foothold from which to pivot to internal networks. Either outcome can mean reputational damage, data breaches, and downtime. Because no authentication is required, any external attacker can attempt exploitation, which widens the attack surface considerably. The threat is most serious for organizations that rely on WordPress for customer-facing websites, e-commerce, or content management, where trust and uptime are critical. Although no exploitation has been reported so far, the low effort required and the broad deployment of WordPress plugins make future attacks likely.
Mitigation Recommendations
1. Update WP ULike Pro to version 1.9.4 or later immediately; this release contains the patch.
2. Enforce strict server-side validation of uploaded files: allow only the extensions the feature genuinely needs, check every extension segment of the name rather than only the last one, and verify the content matches the claimed type. An allowlist is the control here; a denylist of script extensions is what this class of bug bypasses.
3. Deploy web application firewall (WAF) rules that detect and block upload requests or requests for files carrying dangerous extensions.
4. Configure the web server so nothing under the uploads directory is executed: disable the PHP and SSI handlers there via .htaccess or the server configuration and serve the tree as static content, and make sure an attacker-uploaded .htaccess cannot override that setting.
5. Monitor the uploads directory and the access logs for files with unexpected extensions and for requests that reach them, which indicate either successful placement or probing for it.
6. Educate site administrators about the risks of unrestricted file uploads and apply least privilege to the roles that can upload files.
7. Audit and scan WordPress plugins regularly and keep all components updated to minimize exposure.
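Steps 4 and 5 above are the ones an operator can verify on a site that ran a vulnerable version. The following added example (not code from the advisory or the plugin) implements two such checks over constructed data: an access-log scan that surfaces requests reaching script or active-content files under the uploads tree, and an audit of an uploads directory for files whose names violate an allowlist. The `DANGEROUS` set takes the advisory's extensions and, as an assumption, adds their common siblings (.php3 through .php7, .phtml, .htm); the log lines, the IP addresses, the temporary directory layout, and the allowlist passed to `audit_upload_dir` are all constructed for the example.

```python
"""Added example, not part of the advisory: detection checks for a site that
ran a vulnerable WP ULike Pro. SAMPLE_LOG lines and the temporary upload tree
are constructed test data."""
import os
import re
import tempfile
from urllib.parse import urlparse, unquote

# Advisory extensions plus their usual siblings (the additions are an
# assumption made for the example, not part of the advisory's list).
DANGEROUS = {
    "php", "php2", "php3", "php4", "php5", "php6", "php7", "phps", "pht",
    "phtm", "phtml", "pgif", "shtml", "phar", "inc", "hphp", "ctp",
    "module", "html", "htm", "svg",
}

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def risky_extensions(path: str) -> set:
    """Dangerous extension segments of the final path component. Every
    segment is checked, so 'x.phtml.jpg' is caught as well as 'x.phar'."""
    name = path.rsplit("/", 1)[-1].lower()
    return set(name.split(".")[1:]) & DANGEROUS


def scan_access_log(lines, upload_prefix="/wp-content/uploads/") -> list:
    """Return (ip, path, status) for requests that reach a dangerous file
    under the uploads tree. A 200 means the server served or executed the
    file; a 403/404 is still worth seeing, since it may be a probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = unquote(urlparse(m["path"]).path)   # strip query, decode %xx
        if path.startswith(upload_prefix) and risky_extensions(path):
            hits.append((m["ip"], path, int(m["status"])))
    return hits


def audit_upload_dir(root, allowed=("jpg", "jpeg", "png", "gif", "webp", "pdf")) -> list:
    """Walk an uploads directory and return (relative path, reason) for every
    file that is a dotfile (an uploaded .htaccess can re-enable execution),
    has no extension, carries a dangerous extension, or carries any
    extension segment outside the allowlist."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            segs = f.lower().split(".")[1:]
            if f.startswith("."):
                reason = "dotfile"
            elif not segs:
                reason = "no extension"
            elif set(segs) & DANGEROUS:
                reason = "dangerous extension"
            elif any(s not in allowed for s in segs):
                reason = "not allowlisted"
            else:
                continue
            rel = os.path.relpath(os.path.join(dirpath, f), root).replace(os.sep, "/")
            findings.append((rel, reason))
    return sorted(findings)


# Constructed log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2024:12:00:01 +0000] "GET /wp-content/uploads/2024/10/avatar.jpg HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2024:12:00:09 +0000] "GET /wp-content/uploads/2024/10/x.phar?c=id HTTP/1.1" 200 73',
    '198.51.100.4 - - [10/Oct/2024:12:01:00 +0000] "GET /wp-content/uploads/2024/10/profile.svg HTTP/1.1" 200 311',
    '198.51.100.4 - - [10/Oct/2024:12:01:02 +0000] "GET /wp-content/uploads/2024/10/shell.phtml.jpg HTTP/1.1" 403 199',
    '192.0.2.9 - - [10/Oct/2024:12:02:00 +0000] "GET /wp-content/themes/t/style.css HTTP/1.1" 200 900',
    'not a log line',
]


def build_sample_upload_tree() -> str:
    """Create a throwaway uploads tree with a mix of clean and suspect files."""
    root = tempfile.mkdtemp(prefix="uploads-")
    sub = os.path.join(root, "2024", "10")
    os.makedirs(sub)
    for name in ("avatar.jpg", "doc.pdf", "x.phar", ".htaccess", "cat.jpg.phtml"):
        with open(os.path.join(sub, name), "wb") as fh:
            fh.write(b"sample")
    return root


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("log hit:", hit)
    for finding in audit_upload_dir(build_sample_upload_tree()):
        print("file finding:", finding)
```

The log scan ignores the query string and decodes percent-encoding before matching, so `x.phar?c=id` and `x%2Ephar` are both caught. The directory audit reports the dotfile and the double-extension name as well as the plain `.phar`, which is the set of things a post-incident sweep of `wp-content/uploads` should be looking for.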
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-10-08T18:46:58.735Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b56b7ef31ef0b553087
Added to database: 2/25/2026, 9:36:22 PM
Last enriched: 2/25/2026, 11:32:19 PM
Last updated: 2/26/2026, 7:53:27 AM